
The perils of privacy in the enterprise

When I show people our collaboration solutions, I talk about the commercial benefits and the possibilities of changing how we work. I describe how people can now shape their reputation through on-line, public contribution and unlock access to opportunities.

Eyes shine. Heads nod.

And one of the first questions, invariably, is:

“How can I restrict who sees it?”

Who “needs to know”?

In large firms, particularly regulated firms, there are laws that restrict who can see what. So the ability to restrict access must be a part of any collaboration solution.

The issue arises when we over-use that ability.

Simply put, the vast majority of the work people do can and should be shared openly.

Here’s a quote from the commission that investigated 9/11, decrying the “need to know” policy at the CIA:

“The biggest impediment to all-source analysis…is the human or systemic resistance to sharing information…. [The ‘need to know’] system implicitly assumes that the risk of inadvertent disclosure outweighs the benefits of wider sharing. Those Cold War assumptions are no longer appropriate.” – The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States, (WW Norton: New York, 2002), 416-17.

3 extraordinary costs of privacy

It’s not that “information wants to be free.” (If you’re discussing a potential acquisition or an employee relations issue, then you need to limit who participates in those discussions.)

It’s that restrictions have a cost. And these costs should be considered before you restrict anything. Here are just 3 examples.

Cost of missed opportunities

The book “If only we knew what we know” describes at length the costs of barriers to internal knowledge transfer. (The title was inspired by a quote from HP’s CEO, Lew Platt, in 1993: “If only HP knew what HP knows, we would be three times more productive.”)

Common corporate slogans like “Deliver the firm” all embrace connecting different parts of the firm to deliver extra value for the customer. But it’s hard to connect the dots if the dots are hidden.

Cost of administering entitlements

Every restriction is an explicit rule that must be maintained. As organizations churn and needs change, those rules have to be updated, imposing an administrative burden on the firm. Even worse, given the complexity of some rules, that burden may fall on highly-skilled people.

Cost of information leakage

While controls may help prevent leakage, they work only up to a point. Complexity is the enemy of good governance. And a complex web of entitlements, difficult to maintain, will ultimately lead employees to use more convenient – and less secure – ways of sharing information.

Start by being open

What bedevils many social business efforts is the “implicit assumption” described by the 9/11 Commission: that the risk of inadvertent disclosure outweighs the benefits.

In the enterprise, the natural inclination will be to limit access to the information within teams. This, in effect, casts the intranet and firm knowledge in the shape of the org chart.

You have to fight that inclination. The CIA describes their desire for a nuanced approach:

“The 9/11 Commission found great fault with the stovepiping and bureaucratic hoarding of national security information, some of which (in proper hands and at the right time) might have aborted or altered the devastating terrorist assaults in New York, Washington, and in the skies over Pennsylvania in September 2001. The recipe for correction, however, was an overstated, virtually unqualified call for greater sharing of information–an implicit overturning of the prevailing “need to know” culture, one admittedly in need of revision.

The challenge for the IC [Intelligence Community] is to right the balance between finding the appropriate safeguards and compartmentation of information on the one hand, while on the other sustaining candid, analytical reporting from across the world…”

“Balance.” That’s the key word in that quote.

Even the CIA sees the need for balancing openness and restricted sharing – and your firm isn’t the CIA.

Before you think about locking things down, consider the costs and consider the alternatives. Start with an open system of sharing information and restrict access only when it’s required or has true business value for the firm.


John, good points. Access Control is an ‘overhead’ for software projects.
However, I think the 9/11 report encouraged information sharing ‘within’ the intelligence/law-enforcement community — not between unrelated entities or an unsuspecting public.

Access control is a form of a rather intrusive ‘operational risk management’ system (there are many others).

Properly implemented access control not only restricts/allows access to information but also collects and analyses the ‘behavioral’ pattern for the information access/change. The pattern analysis, then, is a more sophisticated form of risk management (can detect suspicious behavior — well before the damage is done). This way a good access control system ‘simplifies’ the manual work to be done by compliance.